The Information Commissioner has warned firms to expect her organisation to enforce the General Data Protection Regulation (GDPR) immediately, once the new legislation comes into force on May 25 this year.
Elizabeth Denham, who heads the UK data protection regulator, the Information Commissioner’s Office (ICO), commented:
“There will be no ‘grace’ period – there have been two years to prepare and we will be regulating from this date.”
She also said that the GDPR implementation date should not be treated like January 1 2000 and the preparations made to avoid ‘Millennium Bug’ problems. On that occasion, of course, all contingency planning could cease once it was clear that the new century had dawned without any significant issues. Instead, she advised firms “to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.”
Ms Denham went on to say that, unlike the Millennium Bug, everyone should know exactly what the GDPR involves. The ICO chief added:
“There were a lot of predictions in the run up to the millennium about what would happen to computer systems when the clock struck midnight. Would banks collapse, power grids fail and chaos ensue?
“But with the GDPR – we all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there, including our Guide to the GDPR, as well as other help from us, from Article 29, from industry associations and data protection experts.
“In summary, the GDPR is not the Millennium Bug – there’s no wondering if the new legislation will happen, it will. But with that certainty comes an opportunity for good data protection practice to pervade your organisation. This will benefit not just your customers but your organisation as well as it reaps the reputational rewards, allowing it to thrive in the new privacy landscape.”
Despite the warnings elsewhere in her blog, the Commissioner suggested that the ICO will take into account the extent to which firms co-operate with regulatory investigations when deciding what penalties to impose. Ms Denham commented:
“Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”
She went on to list five things firms should be doing ahead of the implementation date:
- Ensuring that there is a commitment to the aims and spirit of the GDPR from the firm’s board and senior management
- Reviewing what personal data the firm holds, where it came from and who it is shared with
- Implementing various ‘accountability measures’, including: appointing a data protection officer if necessary, considering what the firm’s lawful bases for processing data are, reviewing privacy notices, designing and testing their data breach incident procedures and considering what new projects could require a Data Protection Impact Assessment
- Training staff as to what GDPR means for their role
- Reviewing the arrangements in place for ensuring security of the data held
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.